Editor’s Note: Steve Cobb is Chief Information Security Officer (CISO) for One Source, a Greenville, N.C.-based managed services provider (MSP).  The company was among those nominated for an award from NC TECH.  Cobb possesses more than 25 years of business IT leadership on strategic deployment of IT infrastructure, cybersecurity, incident response, and cyber threat intelligence.  This article is exclusively published on WRAL TechWire.

GREENVILLE – While “shadow IT” might seem like a shady concept, it’s a common practice in companies today that’s mostly driven by well-intentioned but busy leaders.  Shadow IT describes the procurement and use of IT-related hardware, software, or services such as telecom connectivity, without the explicit approval of the IT department.

Shadow IT often happens in response to the mounting pressures leaders face to increase productivity, eliminate bottlenecks, and quickly respond to customer needs.  It can have benefits in the short term, but it also decentralizes the technology environment, creating a gap between business units and the IT department that can result in a multitude of security risks.

Shadow IT has become a more pervasive problem since the COVID-19 pandemic began in early 2020 because of the number of people who now work remotely.


Employees in the dark

One of the major obstacles for companies in addressing shadow IT is establishing and communicating internal IT policies. According to a report from Entrust Datacard, 37% of IT pros say their organization lacks clarity on internal consequences for using new technologies without IT approval.  And 77% agree that if left unchecked, shadow IT will become a bigger issue at their company by 2025, the report highlighted.

Further, Gartner had previously estimated that by 2020, a third of successful attacks experienced by enterprises would be on their shadow IT resources.  And with the total average cost of a data breach now clocking in at $4.24 million, according to research from IBM, any threat to an organization must be addressed immediately.


Biggest cybersecurity risks
  • Holes in security – Shadow IT creates dangerous holes in a company’s security environment, making it easier for threat actors to access critical information. The massive shift towards adopting transformative digital tech, such as SaaS tools, makes it harder to know where these holes exist, which is why security departments are implementing cloud-based monitoring tools.
  • Low visibility – Companies need visibility into their technology environment to be able to accurately detect all threats before they evolve and cause a data breach. Shadow IT makes this impossible because unsanctioned devices, software, and services aren’t seen by the IT department. They can’t fix what they can’t see.
  • Increased possibility of data loss – Employees who store data in personal cloud file-hosting services and on personal devices significantly increase the possibility of data loss. Most employees don’t worry about implementing backup systems, so this information is left unprotected.
  • Compliance issues – Shadow IT creates uncontrolled data flow that can lead to serious compliance issues. The discovery of unapproved software can result in a government audit, leading to potentially hefty fines.
  • Disrupted workflows – When employees are choosing their own tools and platforms, the potential for incompatible file types increases. It also becomes difficult for employees to collaborate across the organization when they have several different tools that all do essentially the same thing.

Ultimately, Shadow IT creates the danger of the unknown. And because many of the technologies associated with Shadow IT haven’t been vetted by the IT department, they don’t undergo the same security procedures.

Shining the light on shadow IT

Business leaders and IT teams must gain and maintain visibility into shadow IT to help address these security and compliance risks.  Employees are often unaware of the resources they already have internally, which is why they take matters into their own hands and implement new technology without IT involvement.  It’s a good idea to educate employees and end-users on the technologies that have already been implemented or vetted by the IT department.
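The “low visibility” risk above and the call to gain visibility here both come down to one practical step: comparing what the network actually talks to against the list of services IT has sanctioned. The following is an added example, not code from the article or from One Source; it assumes a hypothetical web-proxy log format (timestamp, user, source IP, method, URL, status, bytes) and a constructed allowlist, and it flags unsanctioned hosts, ranking them by how many distinct users reach them and how much data is uploaded to them. A CASB or proxy vendor report would do the same job at scale; this shows the logic.

```python
"""Surface candidate shadow-IT services from web proxy logs.

Added example (not from the article). The log format and all hosts are
constructed for illustration; .test and .invalid are reserved TLDs.
"""
from urllib.parse import urlsplit

# Services IT has vetted and approved (constructed allowlist).
SANCTIONED = {
    "mail.example-corp.test",
    "crm.example-corp.test",
    "drive.example-corp.test",
}

# Constructed proxy log lines:
#   timestamp user src_ip method url status bytes_transferred
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice 10.0.1.12 GET https://mail.example-corp.test/inbox 200 5120
2024-03-04T09:13:44Z bob 10.0.1.15 POST https://files.sharebox.invalid/api/upload 200 2048000
2024-03-04T09:15:09Z alice 10.0.1.12 GET https://notes.quickpad.invalid/board/7 200 3300
2024-03-04T09:17:30Z carol 10.0.1.20 POST https://files.sharebox.invalid/api/upload 201 910000
2024-03-04T09:18:02Z dave 10.0.1.22 GET https://crm.example-corp.test/accounts 200 7700
2024-03-04T09:21:55Z bob 10.0.1.15 GET https://files.sharebox.invalid/api/list 200 400
this line is malformed and should be skipped
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, user, src_ip, method, url, status, nbytes = fields
    host = urlsplit(url).hostname  # None if the URL has no scheme/host
    if host is None:
        return None
    return {
        "ts": ts, "user": user, "src_ip": src_ip, "method": method,
        "host": host.lower(), "status": int(status), "bytes": int(nbytes),
    }


def find_unsanctioned(log_text, sanctioned):
    """Aggregate activity per host that is NOT on the sanctioned list.

    Returns {host: {"users": set, "requests": int, "bytes_out": int}}.
    bytes_out counts bytes on upload-style requests, a rough signal of
    data leaving the company for an unvetted service.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in sanctioned:
            continue
        entry = report.setdefault(
            rec["host"], {"users": set(), "requests": 0, "bytes_out": 0}
        )
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["bytes_out"] += rec["bytes"]
    return report


def rank(report):
    """Order hosts by distinct users, then uploaded bytes, then request count.

    A service used by several people is more likely an adopted team tool
    than a one-off visit, so it goes to the top of the review queue.
    """
    return sorted(
        report.items(),
        key=lambda kv: (len(kv[1]["users"]), kv[1]["bytes_out"], kv[1]["requests"]),
        reverse=True,
    )


def summary_lines(report):
    """Render the ranked report as human-readable lines for an IT review."""
    lines = []
    for host, e in rank(report):
        lines.append(
            f"{host}: {len(e['users'])} user(s) [{', '.join(sorted(e['users']))}], "
            f"{e['requests']} request(s), {e['bytes_out']} bytes uploaded"
        )
    return lines


if __name__ == "__main__":
    for row in summary_lines(find_unsanctioned(SAMPLE_LOG, SANCTIONED)):
        print(row)
```

In practice the allowlist comes from the asset inventory the article recommends, and the output feeds a conversation with the business unit rather than an automatic block: the point is to learn which unvetted tools people have adopted so IT can either sanction them or offer the approved equivalent.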

In addition to communicating the availability of current tools, efforts should be made to educate employees about security awareness, including the security risks associated with implementing technologies without going through IT first.  Having a clear policy and process in place for employees to go through IT to get new technologies can help create better synergy between business units and the IT department.

Because Shadow IT is a complex issue, it will require the merging of technology, industry knowledge and dedicated team members to establish a centralized approach for IT procedures.  Some businesses may have resources in-house to manage these tools while others choose to work with a service partner that can conduct processes for asset inventory, invoice management/auditing, contract management and cost recovery to help strike the right balance.
